Re: [suse-security] Making shadow passwords compulsory
Michael.James
csiro.au
Date: Mon Sep 29 2003 - 19:41:26 CDT
>> On Mon, 29 Sep 2003 05:41 pm, Michael James asked:
>> When "passwd" runs for a user
>> who doesn't have a line in /etc/shadow
>> it just bungs the encrypted string into /etc/passwd! Argh!
>> Nobody ever wants to go back to un-shadowed passwords.
>> How can I turn off this unwantedly obliging behaviour?
On Mon, 29 Sep 2003 05:41 pm, Dirk Schreiner wrote:
> now see, this is the default how passwd works under
> Linux. (Not only SuSE ;-))
Well, IMNSHO this is a Bad Thing (TM).
In the absence of a shadow entry for the user in question
passwd could grumble and fail, or it could create one.
But it should NEVER put a password in a world readable file
not even after hashing it. That's a throwback to before 1995.
> If you want to restrict use of passwd to certain users,
> you should play with chmod and chown.
I've already done this, and wrapped passwd in a script that
gives users more explanation than just "permission denied".
--
Michael James michael.james
csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
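
An audit for the condition discussed in this message, as an added example that is not part of the original message or thread: it reports accounts whose hash sits in the passwd file and accounts with no shadow line. The names `audit_shadow` and `demo` and all sample accounts are constructed for illustration.

```shell
#!/bin/sh
# audit_shadow PASSWD_FILE SHADOW_FILE   (added example, hypothetical name)
# Prints "HASH_IN_PASSWD <user>" when the passwd password field holds a hash,
# and "NO_SHADOW_ENTRY <user>" when the user has no line in the shadow file,
# which is the state in which passwd falls back to writing /etc/passwd.
audit_shadow() {
    awk -F: -v shadow="$2" '
        # Shadow file: record every user that has an entry.
        FILENAME == shadow { if ($1 != "") shadowed[$1] = 1; next }
        # Passwd file: skip blank lines, comments and NIS +/- compat lines.
        NF < 2 || /^[#+-]/ { next }
        {
            pw = $2
            sub(/^!+/, "", pw)      # a locked hash is still an exposed hash
            if (pw != "" && pw != "x" && pw != "*")
                print "HASH_IN_PASSWD", $1
            if (!($1 in shadowed))
                print "NO_SHADOW_ENTRY", $1
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from any real system.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:$1$CONSTRUCTED$notARealHashJustASample:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:12324:0:99999:7:::
alice:!:12324:0:99999:7:::
EOF
    audit_shadow "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

# On a live system (as root): audit_shadow /etc/passwd /etc/shadow
demo
```
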